RE: MS DNS and AD question
From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 10/26/01
- Previous message: Laura A. Robinson: "Re: Something about ISA Server 2000..."
- Maybe in reply to: James Fullerton: "MS DNS and AD question"
- Next in thread: Laura A. Robinson: "Re: MS DNS and AD question"
Subject: RE: MS DNS and AD question
Date: Fri, 26 Oct 2001 13:47:13 -0700
Message-ID: <9D884881F5E1F24FB845967851720FC301A6F3DF@red-msg-12.redmond.corp.microsoft.com>
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: "James Fullerton" <James@RS25.com>, <focus-ms@securityfocus.com>
Hi James,
My first question would be "why is your AD anywhere near the
Internet?" ...but ignoring that for the moment, you can separate your
internal and external zones without special security settings in two
ways:
1. Create your internal zone as a logical subzone of your external
(int.domain.tld)
2. Create (and register) an entirely separate zone for the AD and its
children
Do you need to provide zone transfers to external folks at all?
* Jim Harrison
MCP(NT4, 2K), A+, Network+
-----Original Message-----
From: James Fullerton [mailto:James@RS25.com]
Sent: Friday, October 26, 2001 08:40
To: focus-ms@securityfocus.com
Subject: MS DNS and AD question
I'm using MS DNS and AD, and AD publishes my internal IP addresses to
anyone who wants to see them (using nslookup for example). I would like
to prevent that from happening, and keep my internal IP addresses hidden
(i.e., 10.0.0.2 should not be visible). Short of setting up separate
internal and external DNS servers, can this be done? If so, can someone
please direct me to directions or provide details?
Microsoft's weak answer:
It is possible to keep the two zones on one server and to integrate the
zone with the Active Directory security features. With proper access
control to the DNS files in Active Directory, one might be able to
restrict internal DNS queries to authenticated users only. However, we
have not verified this solution. The complexity of this solution would
require extensive testing to ensure proper settings are being made and
no internal information is being erroneously exported to the Internet.
Thanks,
James F
James@RS25.com
(303) 913 - 6998
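A check for the failure mode that both James's question and Microsoft's answer worry about (internal addresses erroneously exported through the external zone), added here as an example and not code from anyone in the thread: it parses a constructed master-file zone and flags A records in RFC 1918 space, and SRV records pointing at those hosts, that sit outside the internal subzone of Jim's option 1. The sample zone, the int.domain.tld subzone name and the function names are assumptions.

```python
import ipaddress

# RFC 1918 space; the question's own example (10.0.0.2) falls in the first block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (not from the thread): an external zone that has picked up
# AD host records, plus the int.domain.tld subzone from Jim's option 1.
SAMPLE_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@        IN  SOA  ns1.domain.tld. hostmaster.domain.tld. (2001102601 3600 900 604800 3600)
@        IN  NS   ns1.domain.tld.
ns1      IN  A    203.0.113.10
www      IN  A    203.0.113.20
dc1      IN  A    10.0.0.2        ; domain controller leaked into the public zone
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.domain.tld.
fs1.int  IN  A    10.0.0.5        ; internal subzone: expected to be private
"""

def parse_zone(text):
    """Yield (owner FQDN, type, rdata) from a simple master-file zone; expands $ORIGIN."""
    origin = "."
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():              # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":        # optional class
            rest = rest[1:]
        if owner == "@":
            fqdn = origin
        else:
            fqdn = owner if owner.endswith(".") else owner + "." + origin
        yield fqdn, rest[0].upper(), " ".join(rest[1:])

def find_leaks(zone_text, internal_subzone):
    """Return records that expose RFC 1918 addresses outside the internal subzone."""
    records = list(parse_zone(zone_text))
    internal = lambda name: name == internal_subzone or name.endswith("." + internal_subzone)
    leaks, leaked_hosts = [], set()
    for fqdn, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918) and not internal(fqdn):
            leaks.append((fqdn, rtype, rdata))
            leaked_hosts.add(fqdn.lower())
    # Second pass: SRV records whose target is one of the leaked hosts also give the host away.
    for fqdn, rtype, rdata in records:
        if rtype == "SRV" and rdata.split()[-1].lower() in leaked_hosts:
            leaks.append((fqdn, rtype, rdata))
    return leaks

if __name__ == "__main__":
    for rec in find_leaks(SAMPLE_ZONE, "int.domain.tld."):
        print("LEAK:", *rec)
```

Run it against an export of the zone actually served to the Internet; an empty result is the condition Microsoft's answer says needs "extensive testing" to confirm.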